This tool encompasses two distinct features. The first guesses the IOCTL values that the driver accepts, along with their valid size limitations, and stores the results in a file for future reuse. The second feature comprises 3 dumb fuzzers: a pure random fuzzer, a sliding DWORD fuzzer and an asynchronous fuzzer. You can run any combination of the 3 sequentially and can set time limits for each fuzzer run. The sync fuzzers will also warn you if too many requests fail in a row (indicating that further fuzzing might be pointless, due to lack of permission for instance). The async fuzzer allows you to set the percentage of requests to attempt cancelation on and the concurrency level (how many requests are pending at once). Other features include control over the verbosity level and the ability to stop any fuzzer run cleanly with CTRL-C. Upon completion each fuzzer will display cumulative statistics.

Usage:

-a [max threads]   Max number of threads, default is 2xNbOfProcessors, max is 128
-c [%cancelation]  Async cancelation attempt percent rate (default 15)
-f [0-7]           Fuzz flag. OR values together to run multiple
                   fuzzer stages. If left out, it defaults to all
                   stages.
                   0 = Brute-force IOCTLs only
                   1 = Sliding DWORD (sync)
                   2 = Random (async)
                   4 = Named Pipe (async)

Examples:

dibf \\.\MyDevice
dibf -v -d -s 0x10000000 \\.\MyDevice
dibf -f 0x3 \\.\MyDevice

Notes:

- The bruteforce stage will generate a file named "dibf-bf-results.txt" in the same directory as the executable. If dibf is started with no arguments, it will look for this file and start the fuzzer with the values from it.
- If not specified otherwise, command line arguments can be passed as decimal or hex (prefix with "0x").
- CTRL-C interrupts the current stage and moves to the next, if any. Current statistics will be displayed.
- The statistics are cumulative.
- The command-line flags are case-insensitive.

Using the Named Pipe fuzzing provider

To provide fuzzed packets to the Named Pipe fuzzer, connect to \\.\pipe\dibf_pipe in PIPE_TYPE_MESSAGE mode and send the fuzzed data. The last 4 bytes of the packet will be interpreted as the IOCTL code. Additionally, the named pipe Peach publisher can be used to fuzz named pipe endpoints outside of DIBF scope.

Connecting to Peach

The provided Peach publisher can be used to connect Peach to the DIBF’s Named Pipe Fuzzing Provider. A sample Peach XML file peach_np.xml leveraging this provider can be found under the PeachNamedPipePublisher folder:

IOCODE
Simple encoding/decoding utility for IO codes
This very simple tool encodes and decodes Windows IOCTL control codes. It provides a user-friendly way to deal with the encoding of device type, function number, transfer method and access type in an IO code.

iocode.exe [IOCODE] or iocode.exe [DEVICE_TYPE] [FUNCTION] [METHOD] [ACCESS]
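
The bit layout that such an encode/decode relies on, shown as an added example (this is not IOCODE's source code). It follows the standard Windows CTL_CODE field layout; the function names and sample codes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code (the CTL_CODE macro):
 * bits 31..16 device type, 15..14 access, 13..2 function, 1..0 method. */
typedef struct {
    uint32_t device_type;  /* 16 bits; values >= 0x8000 are vendor-defined */
    uint32_t access;       /* 0 any, 1 read, 2 write, 3 read|write         */
    uint32_t function;     /* 12 bits; values >= 0x800 are vendor-defined  */
    uint32_t method;       /* 0 buffered, 1 in-direct, 2 out-direct, 3 neither */
} ioctl_fields;

static const char *const METHOD_NAMES[4] = {
    "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"};
static const char *const ACCESS_NAMES[4] = {
    "FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
    "FILE_READ_ACCESS|FILE_WRITE_ACCESS"};

/* Hypothetical helper names; out-of-range field values are masked off. */
uint32_t ioctl_encode(ioctl_fields f) {
    return ((f.device_type & 0xFFFFu) << 16) | ((f.access & 3u) << 14) |
           ((f.function & 0xFFFu) << 2) | (f.method & 3u);
}

ioctl_fields ioctl_decode(uint32_t code) {
    ioctl_fields f = { code >> 16, (code >> 14) & 3u, (code >> 2) & 0xFFFu, code & 3u };
    return f;
}

/* METHOD_NEITHER hands the driver raw user-mode pointers, so the driver
 * itself must probe and capture them; worth flagging during review. */
int ioctl_raw_user_pointers(uint32_t code) { return (code & 3u) == 3u; }

/* FILE_ANY_ACCESS: any caller holding a handle may send the request. */
int ioctl_any_access(uint32_t code) { return ((code >> 14) & 3u) == 0u; }

int main(void) {
    /* Constructed sample codes, not taken from any particular driver. */
    const uint32_t samples[] = { 0x00222003u, 0x9C40E408u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ioctl_fields f = ioctl_decode(samples[i]);
        printf("0x%08X dev=0x%X func=0x%X %s %s%s\n", (unsigned)samples[i],
               (unsigned)f.device_type, (unsigned)f.function,
               METHOD_NAMES[f.method], ACCESS_NAMES[f.access],
               ioctl_raw_user_pointers(samples[i]) ? " [raw user pointers]" : "");
    }
    return 0;
}
```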

IOSEND
Sending single IOCTL to a driver
This is a tool intended for proofing vulnerabilities and is meant to be used in conjunction with a hex-editor. Once the request of interest has been crafted in it, this utility will send it to the driver using command line parameters. The response gets sent to stdout. Arbitrary addresses can also be used as input and output buffer addresses.